testing/cpio: new aport

6 files changed, 468 insertions, 0 deletions

diff --git a/testing/cpio/001-cpio-2.11-stdio.in.patch b/testing/cpio/001-cpio-2.11-stdio.in.patch
new file mode 100644
index 0000000000..bbdaeead3a
--- /dev/null
+++ b/testing/cpio/001-cpio-2.11-stdio.in.patch
@@ -0,0 +1,14 @@
+diff -urNp cpio-2.11-orig/gnu/stdio.in.h cpio-2.11/gnu/stdio.in.h
+--- cpio-2.11-orig/gnu/stdio.in.h	2010-03-10 10:27:03.000000000 +0100
++++ cpio-2.11/gnu/stdio.in.h	2012-06-04 10:23:23.804471185 +0200
+@@ -139,7 +139,9 @@ _GL_WARN_ON_USE (fflush, "fflush is not 
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
+ #undef gets
++#if HAVE_RAW_DECL_GETS
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
+
diff --git a/testing/cpio/002-cpio-2.11-CVE-2014-9112.patch b/testing/cpio/002-cpio-2.11-CVE-2014-9112.patch
new file mode 100644
index 0000000000..86ab61af8e
--- /dev/null
+++ b/testing/cpio/002-cpio-2.11-CVE-2014-9112.patch
@@ -0,0 +1,134 @@
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index b3e8e60..cf186da 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -52,6 +52,8 @@ TESTSUITE_AT = \
+  setstat04.at\
+  setstat05.at\
+  symlink.at\
++ symlink-bad-length.at\
++ symlink-long.at\
+  version.at
+ 
+ TESTSUITE = $(srcdir)/testsuite
+diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
+new file mode 100644
+index 0000000..cbf4aa7
+--- /dev/null
++++ b/tests/symlink-bad-length.at
+@@ -0,0 +1,49 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11 did segfault with badly set symlink length.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-bad-length])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_DATA([ARCHIVE.base64],
++[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
++JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
++UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
++])
++
++AT_CHECK([
++base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
++cpio -ntv < ARCHIVE
++test $? -eq 2
++],
++[0],
++[-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
++],[cpio: LINK: stored filename length is out of range
++cpio: premature end of file
++])
++
++AT_CLEANUP
+diff --git a/tests/symlink-long.at b/tests/symlink-long.at
+new file mode 100644
+index 0000000..d3def2d
+--- /dev/null
++++ b/tests/symlink-long.at
+@@ -0,0 +1,46 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11.90 changed the way symlink name is read from archive.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-long])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_CHECK([
++
++# len(dirname) > READBUFSIZE
++dirname=
++for i in {1..52}; do
++    dirname="xxxxxxxxx/$dirname"
++    mkdir "$dirname"
++done
++ln -s "$dirname" x || AT_SKIP_TEST
++
++echo x | cpio -o > ar
++list=`cpio -tv < ar | sed 's|.*-> ||'`
++test "$list" = "$dirname" && echo success || echo fail
++],
++[0],
++[success
++],[2 blocks
++2 blocks
++])
++
++AT_CLEANUP
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index 8f3330b..590bdcb 100644
+--- a/tests/testsuite.at
++++ b/tests/testsuite.at
+@@ -31,6 +31,8 @@ m4_include([version.at])
+ 
+ m4_include([inout.at])
+ m4_include([symlink.at])
++m4_include([symlink-bad-length.at])
++m4_include([symlink-long.at])
+ m4_include([interdir.at])
+ 
+ m4_include([setstat01.at])
+
diff --git a/testing/cpio/003-cpio-2.11-testsuite-CVE-2014-9112.patch b/testing/cpio/003-cpio-2.11-testsuite-CVE-2014-9112.patch
new file mode 100644
index 0000000000..c7dcb03354
--- /dev/null
+++ b/testing/cpio/003-cpio-2.11-testsuite-CVE-2014-9112.patch
@@ -0,0 +1,31 @@
+diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
+index cbf4aa7..d8d250b 100644
+--- a/tests/symlink-bad-length.at
++++ b/tests/symlink-bad-length.at
+@@ -37,13 +37,20 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+ 
+ AT_CHECK([
+ base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
+-cpio -ntv < ARCHIVE
+-test $? -eq 2
++TZ=UTC cpio -ntv < ARCHIVE 2>stderr
++rc=$?
++cat stderr | grep -v \
++    -e 'stored filename length is out of range' \
++    -e 'premature end of file' \
++    -e 'archive header has reverse byte-order' \
++    -e 'memory exhausted' \
++    >&2
++echo >&2 STDERR
++test "$rc" -ne 0
+ ],
+ [0],
+-[-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
+-],[cpio: LINK: stored filename length is out of range
+-cpio: premature end of file
++[-rw-rw-r--   1 10029    10031          13 Nov 25 11:52 FILE
++],[STDERR
+ ])
+ 
+ AT_CLEANUP
+
diff --git a/testing/cpio/004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch b/testing/cpio/004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
new file mode 100644
index 0000000000..75a107b23a
--- /dev/null
+++ b/testing/cpio/004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
@@ -0,0 +1,153 @@
+Index: cpio-2.11/src/copyin.c
+===================================================================
+--- cpio-2.11.orig/src/copyin.c	2014-07-01 14:02:39.991007263 +0200
++++ cpio-2.11/src/copyin.c	2014-07-22 16:05:28.171344584 +0200
+@@ -686,6 +686,51 @@ copyin_link(struct cpio_file_stat *file_
+   free (link_name);
+ }
+ 
++
++static int
++path_contains_symlink(char *path)
++{
++  struct stat st;
++  char *slash;
++  char *nextslash;
++
++  /* we got NULL pointer or empty string */
++  if (!path || !*path) {
++    return false;
++  }
++
++  slash = path;
++
++  while ((nextslash = strchr(slash + 1, '/')) != NULL) {
++    slash = nextslash;
++    *slash = '\0';
++
++    if (lstat(path, &st) != 0) {
++      if (errno == ELOOP) {
++        /* ELOOP - too many symlinks */
++        *slash = '/';
++        return true;
++      } else if (errno == ENOMEM) {
++        /* No memory for lstat - terminate */
++        xalloc_die();
++      } else {
++        /* cannot lstat path - give up */
++        *slash = '/';
++        return false;
++      }
++    }
++
++    if (S_ISLNK(st.st_mode)) {
++      *slash = '/';
++      return true;
++    }
++
++    *slash = '/';
++  }
++
++  return false;
++}
++
+ static void
+ copyin_file (struct cpio_file_stat *file_hdr, int in_file_des)
+ {
+@@ -1463,6 +1508,23 @@ process_copy_in ()
+ 	{
+ 	  /* Copy the input file into the directory structure.  */
+ 
++          /* Can we write files over symlinks? */
++          if (!extract_over_symlinks)
++            {
++              if (path_contains_symlink(file_hdr.c_name))
++                {
++                  /* skip the file */
++                  /*
++                  fprintf(stderr, "Can't write over symlinks. Skipping %s\n", file_hdr.c_name);
++                  tape_toss_input (in_file_des, file_hdr.c_filesize);
++                  tape_skip_padding (in_file_des, file_hdr.c_filesize);
++                  continue;
++                  */
++                  /* terminate */
++	          error (1, 0, _("Can't write over symlinks: %s\n"), file_hdr.c_name);
++                }
++            }
++
+ 	  /* Do we need to rename the file? */
+ 	  if (rename_flag || rename_batch_file)
+ 	    {
+Index: cpio-2.11/src/global.c
+===================================================================
+--- cpio-2.11.orig/src/global.c	2014-07-17 16:33:09.768900927 +0200
++++ cpio-2.11/src/global.c	2014-07-21 17:45:58.563494706 +0200
+@@ -187,6 +187,9 @@ bool to_stdout_option = false;
+ /* The name this program was run with.  */
+ char *program_name;
+ 
++/* Extract files over symbolic links */
++bool extract_over_symlinks;
++
+ /* A pointer to either lstat or stat, depending on whether
+    dereferencing of symlinks is done for input files.  */
+ int (*xstat) ();
+Index: cpio-2.11/src/main.c
+===================================================================
+--- cpio-2.11.orig/src/main.c	2014-07-01 14:02:39.840005051 +0200
++++ cpio-2.11/src/main.c	2014-07-17 20:33:47.839215571 +0200
+@@ -57,7 +57,8 @@ enum cpio_options {
+   FORCE_LOCAL_OPTION,            
+   DEBUG_OPTION,                  
+   BLOCK_SIZE_OPTION,             
+-  TO_STDOUT_OPTION
++  TO_STDOUT_OPTION,
++  EXTRACT_OVER_SYMLINKS
+ };
+ 
+ const char *program_authors[] =
+@@ -222,6 +223,8 @@ static struct argp_option options[] = {
+    N_("Create leading directories where needed"), GRID+1 },
+   {"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0,
+    N_("Do not change the ownership of the files"), GRID+1 },
++  {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0,
++   N_("Force writing over symbolic links"), GRID+1 },
+   {"unconditional", 'u', NULL, 0,
+    N_("Replace all files unconditionally"), GRID+1 },
+   {"sparse", SPARSE_OPTION, NULL, 0,
+@@ -413,6 +416,10 @@ crc newc odc bin ustar tar (all-caps als
+       no_chown_flag = true;
+       break;
+ 
++    case EXTRACT_OVER_SYMLINKS:		        /* --extract-over-symlinks */
++      extract_over_symlinks = true;
++      break;
++
+     case 'o':		/* Copy-out mode.  */
+       if (copy_function != 0)
+ 	error (PAXEXIT_FAILURE, 0, _("Mode already defined"));
+Index: cpio-2.11/src/extern.h
+===================================================================
+--- cpio-2.11.orig/src/extern.h	2014-07-01 14:02:39.907006032 +0200
++++ cpio-2.11/src/extern.h	2014-07-17 17:11:20.948908806 +0200
+@@ -95,6 +95,7 @@ extern char input_is_special;
+ extern char output_is_special;
+ extern char input_is_seekable;
+ extern char output_is_seekable;
++extern bool extract_over_symlinks;
+ extern int (*xstat) ();
+ extern void (*copy_function) ();
+ 
+Index: cpio-2.11/doc/cpio.1
+===================================================================
+--- cpio-2.11.orig/doc/cpio.1	2009-02-14 19:15:50.000000000 +0100
++++ cpio-2.11/doc/cpio.1	2014-07-21 23:00:33.878746855 +0200
+@@ -22,6 +22,7 @@ cpio \- copy files to and from archives
+ [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message]
+ [\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse]
+ [\-\-only\-verify\-crc] [\-\-to\-stdout] [\-\-quiet] [\-\-rsh-command=command]
++[\-\-extract\-over\-symlinks]
+ [\-\-help] [\-\-version] [pattern...] [< archive]
+ 
+ .B cpio
+
diff --git a/testing/cpio/005-cpio-2.11-stdio.in-part2.patch b/testing/cpio/005-cpio-2.11-stdio.in-part2.patch
new file mode 100644
index 0000000000..cf7f6e9122
--- /dev/null
+++ b/testing/cpio/005-cpio-2.11-stdio.in-part2.patch
@@ -0,0 +1,68 @@
+--- cpio-2.11/src/copyin.c	2010-02-15 10:02:23.000000000 +0000
++++ cpio-2.11/src/copyin.c.new	2015-06-25 19:16:47.788864922 +0000
+@@ -125,9 +125,29 @@ tape_skip_padding (int in_file_des, off_
+     tape_toss_input (in_file_des, pad);
+ }
+ 
+-
++static char *
++get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
++{
++  char *link_name;
++
++  if (file_hdr->c_filesize < 0 || file_hdr->c_filesize > SIZE_MAX-1)
++    {
++      error (0, 0, _("%s: stored filename length is out of range"),
++	     file_hdr->c_name);
++      link_name = NULL;
++    }
++  else
++    {
++      link_name = xmalloc (file_hdr->c_filesize + 1);
++      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
++      link_name[file_hdr->c_filesize] = '\0';
++      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++    }
++  return link_name;
++}
++
+ static void
+-list_file(struct cpio_file_stat* file_hdr, int in_file_des)
++list_file (struct cpio_file_stat* file_hdr, int in_file_des)
+ {
+   if (verbose_flag)
+     {
+@@ -136,15 +156,12 @@ list_file(struct cpio_file_stat* file_hd
+ 	{
+ 	  if (archive_format != arf_tar && archive_format != arf_ustar)
+ 	    {
+-	      char *link_name = NULL;	/* Name of hard and symbolic links.  */
+-
+-	      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-	      link_name[file_hdr->c_filesize] = '\0';
+-	      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-	      long_format (file_hdr, link_name);
+-	      free (link_name);
+-	      tape_skip_padding (in_file_des, file_hdr->c_filesize);
+-	      return;
++	     char *link_name = get_link_name (file_hdr, in_file_des);
++	      if (link_name)
++		{
++		  long_format (file_hdr, link_name);
++		  free (link_name);
++		}
+ 	    }
+ 	  else
+ 	    {
+@@ -650,10 +667,7 @@ copyin_link(struct cpio_file_stat *file_
+ 
+   if (archive_format != arf_tar && archive_format != arf_ustar)
+     {
+-      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-      link_name[file_hdr->c_filesize] = '\0';
+-      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++     link_name = get_link_name (file_hdr, in_file_des);
+     }
+   else
+     {
diff --git a/testing/cpio/APKBUILD b/testing/cpio/APKBUILD
new file mode 100644
index 0000000000..ee6a0ab051
--- /dev/null
+++ b/testing/cpio/APKBUILD
@@ -0,0 +1,68 @@
+# Contributor: Stuart Cardall <developer@it-offshore.co.uk>
+# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
+pkgname=cpio
+pkgver=2.11
+pkgrel=0
+pkgdesc="A tool to copy files into or out of a cpio or tar archive"
+url="http://www.gnu.org/software/cpio"
+arch="all"
+license="GPL"
+depends="tar"
+depends_dev=""
+makedepends="$depends_dev"
+#install=""
+subpackages="$pkgname-doc"
+source="$pkgname-$pkgver.tar.bz2::http://ftp.snt.utwente.nl/pub/software/gnu/cpio/$pkgname-$pkgver.tar.bz2
+	001-cpio-2.11-stdio.in.patch
+	002-cpio-2.11-CVE-2014-9112.patch
+	003-cpio-2.11-testsuite-CVE-2014-9112.patch
+	004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
+	005-cpio-2.11-stdio.in-part2.patch
+	"
+
+_builddir="$srcdir"/$pkgname-$pkgver
+prepare() {
+	local i
+	cd "$_builddir"
+	for i in $source; do
+		case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
+}
+
+build() {
+	cd "$_builddir"
+	./configure \
+		--prefix=/usr \
+		--mandir=/usr/share/man \
+		--infodir=/usr/share/info \
+		|| return 1
+	make || return 1
+}
+
+package() {
+	cd "$_builddir"
+	make DESTDIR="$pkgdir" install || return 1
+	rm -f "$pkgdir"/usr/lib/charset.alias
+	rm -f "$pkgdir"/usr/libexec/rmt # part of the tar pkg
+}
+
+md5sums="20fc912915c629e809f80b96b2e75d7d  cpio-2.11.tar.bz2
+db5b098b6765478a4b62cf42b059248e  001-cpio-2.11-stdio.in.patch
+007485ebf1bc2d8b4a7fd67dce4a9739  002-cpio-2.11-CVE-2014-9112.patch
+af27df259d12ff0414b38e2ab0bef9a9  003-cpio-2.11-testsuite-CVE-2014-9112.patch
+d85769d9b56a27008e0ad246d6e5805a  004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
+d379203af39a48671aede692f1a14c47  005-cpio-2.11-stdio.in-part2.patch"
+sha256sums="bb820bfd96e74fc6ce43104f06fe733178517e7f5d1cdee553773e8eff7d5bbd  cpio-2.11.tar.bz2
+7e953ee60878ae1b840cd5dcab36afa80db63bddc86aaab791746108bbd87256  001-cpio-2.11-stdio.in.patch
+ab6d390892e1f61110ad8bfc6554ed2fe9f9b3252ae43a2fe9cd04e110ad9c69  002-cpio-2.11-CVE-2014-9112.patch
+018a183c70d1708f58a0777b77344691d4b621107d669e469dfd180b2386f36a  003-cpio-2.11-testsuite-CVE-2014-9112.patch
+2fc99ca2c86fbbf0b586a8159c459034b1016f0efcd9a02aceaf263840f432b9  004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
+176fda78943be8cdef7fb62dea301020b51681827c91fcf32c42725be255d2eb  005-cpio-2.11-stdio.in-part2.patch"
+sha512sums="b6ccb3e121ea29780219d21c9cd6267c2f7b7ae72fb899bb80e1c54cc33e9eac5363443d93dbfbe37e8e8d295dad2724ac607f0543cc62797919605f68c396aa  cpio-2.11.tar.bz2
+9c03762aa7192c888bd2c83238183085d7f8b74c49f7dfc1f67a196a579b0394aa031f3c850bbdd9519515cff987b95c2c835afbffa366c9296e114423daca76  001-cpio-2.11-stdio.in.patch
+2370d376b62cb61513fcf62ae360fa356c63d6272d6f8b412a448df20f86eb98e8121452d602ae5ac87d0e7be3142c38213fecbf9f05ddc2e82da2eaec2ca10f  002-cpio-2.11-CVE-2014-9112.patch
+67d4cd4235674007022381838dd811c4149d8c0a6205ce940d109c26ef72334d0c715605e9ab37e51212061c1c89b053f82b63d4f8a397977ce349d224edaa70  003-cpio-2.11-testsuite-CVE-2014-9112.patch
+5a7c4090bb80fc3591825747c02b3f446c3a4bf58e6be0d4cbcc6ade9c795636add67ea38d4e753c6252b9b7e76370e36b0d5355089cd26a18fcaed6cc9907de  004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
+1b3fd9e695314d6d468215bd2fbaadd850ff864502f51d840e1ab8452fea0bc9779fba906559ed4c47a11f909519506cd6fc0a8990248f8c63bc8f1c683108e8  005-cpio-2.11-stdio.in-part2.patch"